The California Attorney General recently released a series of guidelines to assist with compliance with the California Online Privacy Protection Act of 2003 (CalOPPA), which was amended to require new data collection and Do Not Track disclosures. These guidelines offer assistance regarding the form and content of operators’ privacy policies. The AG has stated she will actively enforce operators’ compliance with CalOPPA, including through litigation. Operators of websites and online services that are used or visited by California residents should ensure as soon as possible that their privacy policies comply with the AG’s guidelines.
California Online Privacy Protection Act’s New Requirements Regarding Data Collection and Do Not Track Disclosures
The California Attorney General’s CalOPPA Recommendations for Compliance
On May 21, 2014, the Privacy Enforcement and Protection Unit (the “Privacy Unit”) of the California Attorney General’s Office issued “Making Your Privacy Practices Public,” which provides detailed, specific guidance regarding how operators of websites and online services should implement the requirements of CalOPPA as amended. These recommendations, which are summarized below, cover not only the disclosures required in operators’ privacy policies, but also the style and format of the policies.
Guidance on New Disclosure Requirements
Do-Not-Track:
Collection of personally identifiable information by third parties:
Guidance on Pre-2014 CalOPPA Disclosure Requirements
Security safeguards: The AG recommends that privacy policies describe the security measures used to safeguard personal information in the operator’s care and the measures used to control information security practices of third parties with whom the operator shares consumers’ personal information.
The Attorney General’s Office has indicated that it will actively enforce operators’ compliance with the Attorney General’s CalOPPA recommendations. In an interview given to The New York Times, a member of the Privacy Unit stated that the Attorney General’s Office “would review companies’ privacy policies and work with them to make sure they followed the new law. Those who don’t comply will receive 30-day warnings before facing potential litigation from the state.”3